CreateRole
GCP
CreateRole
Event
Creates a custom IAM role in GCP with a specified set of granular permissions.
Security Context
- Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.
Log Source
Cloud Audit Logs
Sample Event
Adversarial. Draco creates a custom IAM role named pipeline_break_glass at the project level, packing it with permissions for IAM tampering (iam.roles.update, iam.serviceAccounts.actAs) and log-tampering (logging.logs.delete, logging.exclusions.create). Custom-role creation is a stealth move — it doesn’t immediately grant anyone anything, but it pre-positions a “blessed-looking” role that Draco will later bind to his own account via SetIamPolicy. Defenders that only watch role-binding changes miss this preparatory step.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.iam.roles.create invocation-id/90000000000000000000001111101111 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T15:32:08.221987654Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.CreateRole", "authorizationInfo": [ { "resource": "projects/fantasticlogs-prod", "permission": "iam.roles.create", "granted": true, "resourceAttributes": { "service": "iam.googleapis.com", "name": "projects/fantasticlogs-prod", "type": "iam.googleapis.com/Project" } } ], "resourceName": "projects/fantasticlogs-prod/roles/pipeline_break_glass", "request": { "@type": "type.googleapis.com/google.iam.admin.v1.CreateRoleRequest", "parent": "projects/fantasticlogs-prod", "roleId": "pipeline_break_glass", "role": { "title": "Pipeline break-glass", "description": "Emergency access for OCCAMY pipeline maintenance", "includedPermissions": [ "iam.roles.update", "iam.serviceAccounts.actAs", "iam.serviceAccountKeys.create", "logging.logs.delete", "logging.exclusions.create", "compute.instances.setMetadata" ], "stage": "GA" } }, "response": { "@type": "type.googleapis.com/google.iam.admin.v1.Role", "name": "projects/fantasticlogs-prod/roles/pipeline_break_glass", "title": "Pipeline break-glass", "description": "Emergency access for OCCAMY pipeline maintenance", "includedPermissions": [ "iam.roles.update", "iam.serviceAccounts.actAs", "iam.serviceAccountKeys.create", "logging.logs.delete", "logging.exclusions.create", "compute.instances.setMetadata" ], "stage": "GA", "etag": "BwSAMPLEetag1111=" } }, "insertId": "evt001111101111", "resource": { "type": "iam_role", "labels": { "project_id": "fantasticlogs-prod", "role_name": "projects/fantasticlogs-prod/roles/pipeline_break_glass" } }, "timestamp": "2026-04-15T15:32:08.123456789Z", "severity": "NOTICE", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity", "receiveTimestamp": "2026-04-15T15:32:08.567890123Z"}MITRE ATT&CK Mapping
Tactics: Privilege Escalation Persistence
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...